Help me analyze what the hacker did?

navara navara at shalmirane.net
Thu Jul 17 04:51:23 PDT 2003


> > In / directory I find out a .bash_history file.
> 
> What a strange "cracker" who leaves behind him a .bash_history in / ??? Did you mean ~/ ?
> 
> Moreover, it is a good idea if this "cracker" got root to back up the original ~/.bash_history first to restore it afterwards. Don't forget also that the backup process will change the date of the file, so it is also a good idea to restore the old time flag on your restored file :)
> 
> cp ~/.bash_history ~/.bash_history_back
> 
> ls -l ~/.bash_history
> -rw-------    1 xxx     xxx         1185 jui 16 20:42 /home/xxx/.bash_history
> 
> [do what you want]
> 
> cp ~/.bash_history_back ~/.bash_history && rm ~/.bash_history_back
> 
> touch -t 07162042 ~/.bash_history
> 
> This would restore the original time flag of the file, but take care of the last command (the backup process) that you left behind you after backing up the file. Eventually clear the entry by hand before the 'touch'.
> 
> Finally it is also handy to clear the log files

And don't forget that all commands are saved after logout :)
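For the defender's side of the timestamp restore quoted above, here is an added example (not part of the original message) that flags a history file whose mtime looks hand-set. The function names, the 2-second tolerance and the sample file are assumptions made for illustration.

```python
import os
import tempfile
import time

SKEW_NS = 2 * 10**9      # assumed tolerance between mtime and ctime
MINUTE_NS = 60 * 10**9


def timestamp_anomalies(path):
    """Return indicator names suggesting a file's mtime was set by hand."""
    st = os.stat(path)
    findings = []
    # utimes()/touch can rewrite mtime, but the kernel stamps ctime with the
    # real time of that change, so ctime lands well after the claimed mtime.
    # chmod, chown and rename also bump ctime: treat this as a lead, not proof.
    if st.st_ctime_ns - st.st_mtime_ns > SKEW_NS:
        findings.append("ctime_after_mtime")
    # `touch -t MMDDhhmm` carries no seconds, so mtime falls exactly on a minute.
    if st.st_mtime_ns % MINUTE_NS == 0:
        findings.append("mtime_whole_minute")
    if st.st_mtime_ns > time.time_ns() + SKEW_NS:
        findings.append("mtime_in_future")
    return findings


def demo():
    """Build a constructed history file, backdate it, and compare findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bash_history_sample")  # constructed sample
        with open(path, "w") as fh:
            fh.write("ls -l\ncd /tmp\n")
        before = timestamp_anomalies(path)
        # Same effect as the quoted `touch -t`: whole-minute mtime, one day back.
        stamp = (int(time.time()) - 86400) // 60 * 60
        os.utime(path, (stamp, stamp))
        after = timestamp_anomalies(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a live system, `timestamp_anomalies` would be pointed at each account's history file and the results compared against login records.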


More information about the lfs-security mailing list